CAKED: Threat Modeling for Managed Attribution Part 3

In part 2, I demonstrated how to threat model a simple OSINT scenario. For the final part of this series, I’d like to examine a fictional scenario of active engagement with an overseas illegal marketplace that is operated by the target.

Let’s start off with a quick recap. The threats against managed attribution (MA) are memorable through the acronym CAKED.

Correlation of entities
Attribution of actors
Knowledge of operation
Exposure of aliases
Discovery of resources

And we are considering four kinds of threat actors:

Unprivileged observers
On the wire
On the device
In the conversation

In this example, the operator’s mission is to actively engage with a criminal marketplace. This scenario highlights international complexities; the target webserver is running in Mexico, and there are likely to be threat actors in some of the foreign ISPs.

The operator in this scenario is significantly more vulnerable than in the OSINT scenario from part 2. The target has much greater access to information about the operator. As the hosting webserver, they can see all technical details of the connection and run various tests against the operator’s browser and system to detect unusual signatures.

A viable managed attribution solution needs to prevent the target, or other sympathetic entities, from discovering the existence of the operations, exposing the alias, or attributing anything back to the operator. In this example, there is only a single alias, but if there were more, we would also need to consider preventing correlation of those aliases or any associated infrastructure.

How to Visualize CAKED for Managed Attribution

Pictured below is a possible solution architecture for this example. There are multiple layers of standoff between the operator, the MA service provider, and the target. In cross-border contexts, the regional IPSs and governments are often a bigger concern as threat actors.

This operation also involves direct financial transactions that also need to be protected. The image below illustrates that path. The solution is built using conventional transfers between banks. If the operator were to use bitcoin, it would introduce a new threat exploitable by unprivileged observers.

Let’s examine four threat actors with different views of the solutions.

You can see in the image below that the target website is clearly in the conversation with access to clear text of all communications and meta-data. To avoid exposing the alias and mission, the MA service must ensure that all technical cover support looks realistic and appropriate in the face of sophisticated analysis. I have discussed most of those issues in another cast.

With this design, the alias will appear to be in Brazil using an Argentinian bank for payments. They will have the ability to scan the Brazil exit point, enabling the discovery of other MA resources.

A threat actor with access to the Argentinian banking information would see a Brazilian customer taking funds from a Swiss Bank and using them for transactions with the criminal website. If this pattern is appropriate for the typical visitors to that website, it would not expose the existence of an operation or provide any attribution.

A threat actor on the Brazilian exit server, perhaps a hacker or the hosting company, might be able to infer the existence of the operation by seeing the traffic relaying between Paris and the target. They are also being paid by a Swiss bank, and the exit node is communicating with an Argentinian bank. Careful hardening and monitoring of the exit server can minimize the chances of a successful hack, while thoughtful selection of a trustworthy hosting provider can reduce the chances of hostile intent and monitoring. The threat actor also has very detailed information about the design of the exit node, which might allow discovery of other MA resources on the internet. To mitigate this, you should vary the identifying characteristics between all nodes (perhaps by following the CAKED model).

A threat actor inside the trusted American bank would be able to see that the operator’s organization is engaged in an operation using an MA service. They do not have visibility into what kind of operation it could be, the target, or any of the aliases used. If this knowledge would be problematic, then additional mitigation through a trusted financial intermediary could provide protection.

Again, the process is to iterate this procedure. You need to examine each element and vantage point to look for what threats are possible and decide to take precaution or accept the threat; any new mitigations need to be examined for new vulnerabilities.

For a more detailed look at this model and the acronym CAKED, watch the full video.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
esctx	session	The esctx cookie is set by Microsoft for secure authentication of the users' login details.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
stsservicecookie	session	This cookie is set by Microsoft for secure authentication of the users' login details.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
x-ms-gateway-slice	session	This cookie is set by Microsoft for secure authentication of the users' login details.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-37785135-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
buid	1 month	No description available.
fpc	1 month	No description available.
muc_ads	2 years	No description available.
RpsContextCookie	10 minutes	No description available.
visitor_id456132	10 years	This is a cookie pattern that appends a unique identifier for a website visitor, used for tracking purposes. The cookies in this domain have a lifespan of 10 years.
visitor_id456132-hash	10 years	This is a cookie pattern that appends a unique identifier for a website visitor, used for tracking purposes. The cookies in this domain have a lifespan of 10 years.

CAKED: Threat Modeling for Managed Attribution Part 3

Share this post

CAKED: Threat Modeling for Managed Attribution Part 3

How to Visualize CAKED for Managed Attribution

Related Posts